
SANS NewsBites is a semiweekly high-level executive summary of the most important news articles that have been published on computer security during the last week. Each news item is very briefly summarized and includes a reference on the web for detailed information, if possible.

Spend five minutes per week to keep up with the high-level perspective of all the latest security news. New issues are delivered free every Tuesday and Friday.

Volume VI - Issue #5

February 04, 2004

This week, we've added a special section on the Mydoom virus because of the many stories it has spawned. By the way, it is a virus, not a worm. A virus requires users to make active errors (in this case, opening unanticipated attachments). Perhaps that's a silver lining in the Mydoom cloud: it may help educate users that opening attachments is very dangerous, even when they seem to come from friends, family, co-workers or the technical staff.

One of the useful resources that SANS provides is access to vendor white papers. Sometimes they are marketing drivel, but often they reflect solid research and contain very valuable analysis. Along with the new poster you received, we've made 15 new white papers available (free) from the poster's sponsors at http://www.sans.org/tools.php. They cover topics including DoS Protection, Security Legislation, Auditing, Event Management and more. Registration is required - that's why the vendors make them available free.

Security managers and analysts, system and network administrators, auditors and forensic analysts will each find immersion training focused on their special needs, and all taught by the highest-rated instructors in the US. And it is all in Orlando Florida, in early April.
http://www.sans.org/sans2004

OMB Predicts More than 50% of Agency IT Systems Will be Secure by Summer (28 January 2004)

The Office of Management and Budget (OMB) expects that just over half of government agency IT systems will be accredited and certified secure when it releases its annual report this summer. The OMB is developing FISMA implementation guidelines for the agencies.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24777
[Editor's Note (Paller): Progress on security should be applauded, and the 50% mark certainly is progress. However, as the Department of Defense has discovered, the C&A process is a snapshot in time that completely ignores the critical impact of constant change, which makes active networked systems vulnerable hours or days after a C&A has been completed. The US Department of Defense is about to change the way it does C&A. Civilian agencies should change to the continuous monitoring method, as well, and soon.]

Heckenkamp (eBay and Qualcomm Hacker) Pleads Guilty (2 February 2004)

Jerome Heckenkamp has pleaded guilty to breaking into eBay and Qualcomm computers; he has also admitted to a number of other intrusions and to having caused $70,000 in losses. Prosecutors agreed to ask for no more than two years in prison and "not to seek" job-related computer use restrictions during his supervised release. Sentencing is set for May 10.
-http://www.securityfocus.com/news/7959
[Editor's Note (Schneier): And thus ends the Heckenkamp case, at least for now. While the actual intrusions may have caused real damage, watching the progress of this case has made me think more of terms like "farce" and "comedy of errors" than "serious hacker."
(Ranum): Allowing him to use his computer is a good idea. If Heckenkamp's computer use was restricted, he'd no doubt have to pursue becoming an author or lecturer and we'd have to deal with another smug self-serving screed by a hacker-turned-security-visionary.]

Peer-to-Peer Liability Case is Back in Court (2 February 2004)

The 9th US Circuit Court of Appeals is reviewing a lower court decision that said that the parent companies of decentralized peer-to-peer file sharing networks were not liable for copyright infringement that occurred on those networks; the judge in that case also ruled that such decentralized file-swapping tools were legal.
-http://news.com.com/2102-1027_3-5152269.html?tag=st_util_print

Sardonix Calls it Quits (30 January 2004)

The Sardonix project, which hoped to provide structure for open source code review, will be closing down because it didn't attract the necessary volume of volunteer auditors. Sardonix was initially funded by a Defense Advanced Research Projects Agency (DARPA) grant.
-http://www.securityfocus.com/news/7947

Warner Bros. Files Suit Against Man For Alleged Role in Film Piracy (29 January 2004)

The Warner Brothers film studio has filed a lawsuit against Carmine Caridi, the Academy of Motion Picture Arts and Sciences member who allegedly sent screener copies of films to a man in Illinois, who subsequently digitized them and put them on the Internet. Ten other unnamed defendants listed in the suit are alleged to have been involved with a scheme to distribute movies on the Internet.
-http://www.wired.com/news/print/0,1294,62102,00.html
[Editor's Note (Schultz): This superficially sounds great, but I wonder how many users will know how to verify a digital signature when most users do not even know what a digital signature is.]

ISAC Officials Question New Alert System (29 January 2004)

Senior officials from IT and financial services Information Sharing and Analysis Centers (ISACs) have spoken critically of the Department of Homeland Security's (DHS) decision to launch a national Cyber Alert System without making clear how the private sector fits into the picture. They say that the alert program appears to be geared toward home users and small businesses instead of the medium and large companies that comprise much of the nation's critical infrastructure.
-http://www.computerworld.com/printthis/2004/0,4814,89550,00.html
[Editor's Note (Grefer): ISAC should keep in mind that medium- and large-sized companies typically already have information security savvy staff who stay up-to-date on IT security issues, including alerts. The DHS initiative can help tens of thousands of organizations that are not connected with ISACs and may not have such strong in-house talent.]

Congressmen Tom Davis (R-Va.) and Adam Putnam (R-Fla.) take the need for improving federal agency IT security seriously. Davis, who chairs the House Government Reform Committee, says he plans to hold a hearing this spring on at least two contracts that did not take the Federal Information Security Management Act (FISMA) into account. Putnam has sent letters to agency secretaries requesting to meet with their CIOs to discuss their IT security action plans.
-http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=24775
[Editor's Note (Paller): Congressman Davis' Congressional oversight initiative is exactly what is needed to kick start the implementation of critical elements of FISMA. For example, prior to a December meeting, many agencies were completely unaware that FISMA requires them to establish minimum security configuration benchmarks and to ensure that their computers comply with those requirements. Similar oversight hearings by either Congressman Davis or Congressman Putnam on how that requirement is being implemented will result in rapid improvement of security configurations in federal agencies.
(Schultz and other editors): Rep. Putnam is a particularly strong advocate of information security within the US government. He has repeatedly faced tough opposition, but has heroically persevered in his efforts.]

Former Microsoft Employee Convicted and Sentenced for Software Theft (28 January 2004)

Please feel free to share this with interested parties via email, but no posting is allowed on web sites. For a free subscription (and for free posters), or to update a current subscription, visit
http://portal.sans.org/